vrr/DockFlare
2
0
Fork 0
mirror of https://github.com/ChrispyBacon-dev/DockFlare.git synced 2026-04-28 11:49:34 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
DockFlare/CLI_USAGE.md
ChrispyBacon-dev b7a83e84fb
Some checks are pending
Docker Image Build and Push / build_self_hosted (push) Waiting to run
Details
Docker Image Build and Push / build_github_hosted_fallback (push) Blocked by required conditions
Details
application update before delete duplicated access policy
2025-10-10 13:35:38 +02:00

5.2 KiB
Raw Blame History

DockFlare CLI Utilities

Cleanup Duplicate Policies

DockFlare now includes a CLI utility to detect and remove duplicate reusable policies in your Cloudflare account.

Problem

When running multiple DockFlare instances (local + deployed) or experiencing state.json drift between instances, duplicate policies with the same name can be created in Cloudflare. This utility consolidates them by keeping the oldest policy and deleting newer duplicates.

Usage

Preview (Dry Run) - Recommended First Step

docker exec dockflare python -m app.cli cleanup-duplicate-policies --dry-run

This will:

  • Scan all reusable policies in your Cloudflare account
  • Identify policies with duplicate names
  • Show which policies would be deleted (newer ones)
  • Show which policy ID would be kept (oldest one)
  • Show state.json updates that would be made
  • Make NO actual changes

Execute Cleanup

docker exec dockflare python -m app.cli cleanup-duplicate-policies --apply

This will:

  • Delete all duplicate policies (keeping the oldest)
  • Update state.json to reference the correct policy IDs
  • Actually make changes to your Cloudflare account

What It Does

  1. Fetches all reusable policies from your Cloudflare account
  2. Groups policies by name to identify duplicates
  3. Sorts by creation date - keeps the oldest policy for each name
  4. Checks Access Applications - identifies which applications are using duplicate policies
  5. Updates & Deletes - for each duplicate:
    • Updates affected applications to use the kept policy ID
    • Then deletes the duplicate policy
  6. Updates state.json - ensures all access groups reference the correct (kept) policy ID

Example Output

============================================================
DUPLICATE POLICY CLEANUP UTILITY
============================================================
Mode: DRY RUN (no changes will be made)

Step 1: Fetching all reusable policies from Cloudflare...
Found 15 total policies

Step 2: Grouping policies by name...

Step 3: Identifying duplicates...
✗ Found 2 policy names with duplicates:

  Policy: 'DockFlare-Default-Public-Access-Bypass' (3 instances)
  Policy: 'DockFlare-AccessGroup-idp-blocker' (3 instances)

Total policies to delete: 4

Step 4: Checking Access Applications for policy usage...
Found 12 Access Applications to check

Step 5: Processing duplicates...

Processing: 'DockFlare-Default-Public-Access-Bypass'
  ✓ Keeping: ID=abc123 (created: 2025-01-01T10:00:00Z)
  ✗ Would delete: ID=def456 (created: 2025-01-02T11:00:00Z)
  ✗ Would delete: ID=ghi789 (created: 2025-01-03T12:00:00Z)

Processing: 'DockFlare-AccessGroup-idp-blocker'
  ✓ Keeping: ID=jkl012 (created: 2025-01-01T09:00:00Z)
  ⚠ Found 2 Access Application(s) using duplicate policies:
    - App: 'DockFlare-app1.example.com' (domain: app1.example.com)
      Using policy: mno345
    - App: 'DockFlare-app2.example.com' (domain: app2.example.com)
      Using policy: pqr678
  📝 Updating applications to use kept policy ID jkl012...
    ✓ Updated app 'DockFlare-app1.example.com': mno345 → jkl012
    ✓ Updated app 'DockFlare-app2.example.com': pqr678 → jkl012
  ✗ Would delete: ID=mno345 (created: 2025-01-02T10:00:00Z)
  ✗ Would delete: ID=pqr678 (created: 2025-01-03T11:00:00Z)

Step 6: Updating state.json with correct policy IDs...
DRY RUN: Would update state.json with the following changes:
  Group 'public-default-bypass': def456 → abc123 (policy: DockFlare-Default-Public-Access-Bypass)
  Group 'idp-blocker': mno345 → jkl012 (policy: DockFlare-AccessGroup-idp-blocker)

============================================================
SUMMARY
============================================================
Total policies scanned: 15
Duplicate policy names found: 2
Policies that would be deleted: 4
Policies that would be kept: 2
============================================================

Safety Features

  • Dry run by default - You must explicitly use --apply to make changes
  • Keeps oldest policy - Ensures you don't lose the original policy
  • Access Application protection - Automatically updates applications to use kept policy before deletion
  • Updates state.json - Automatically fixes references to deleted policies
  • Detailed logging - Shows exactly what will be (or was) done

When to Use

  • After discovering duplicate system policies (DockFlare-Default-*)
  • After running multiple DockFlare instances that created duplicate user policies
  • Before major version upgrades to clean up your Cloudflare account
  • When troubleshooting policy-related issues

Notes

  • The utility requires DockFlare to be configured with valid Cloudflare credentials
  • It operates on all reusable policies in your account, not just DockFlare-managed ones
  • Automatically handles Access Applications - The utility detects apps using duplicate policies, updates them to use the kept policy, then safely deletes duplicates
  • Safe execution order - Applications are updated BEFORE policies are deleted, preventing any downtime or access control gaps
  • Always run with --dry-run first to preview changes
  • Deletion is permanent and cannot be undone (except by recreating policies manually)